[cifs-protocol] 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
srenaden at microsoft.com
Tue Aug 4 18:39:07 UTC 2015
Although I don't have the exact repro that you used, I've debugged it further and found that if the checksum type is NOT 0x8003, Windows ignores such a checksum value.
Microsoft Windows Open Specifications
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, July 30, 2015 8:49 PM
To: Sreekanth Nadendla
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
On Thu, 2015-07-30 at 21:59 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
> Per section 4.1.1 of RFC 4121, the Authenticator
> checksum type must be 0x8003, which is the GSSAPI checksum. So when you say
> "is a non-GSSAPI checksum ever checked?" what do you mean by that?
> Are you asking if the checksum is present in the AP-REQ Authenticator,
> whether Windows verifies if its type is the GSSAPI checksum type
> (0x8003)? If so, the answer is yes, it does.
If the checksum is present, but is not 0x8003, what happens?
Our tests show that a value other than 0x8003 is accepted. Samba currently implements that by validating it using the krb5 checksum routine appropriate to the value. What does Windows do?
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
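
The two acceptor behaviours discussed in this thread, as an added example that is not part of the original messages and is neither Samba nor Windows code. It parses the 0x8003 checksum body laid out in RFC 4121 section 4.1.1 and classifies any other type under a chosen policy; the function names, policy strings and sample bytes are hypothetical and constructed for illustration.

```python
import struct

GSS_CKSUMTYPE = 0x8003  # GSS-API checksum type, RFC 4121 section 4.1.1
GSS_FLAGS = {1: "DELEG", 2: "MUTUAL", 4: "REPLAY", 8: "SEQUENCE", 16: "CONF", 32: "INTEG"}

def parse_gss_checksum(data: bytes) -> dict:
    """Parse the 0x8003 checksum body (RFC 4121 section 4.1.1 layout)."""
    if len(data) < 24:
        raise ValueError("0x8003 checksum shorter than 24 octets")
    (bnd_len,) = struct.unpack_from("<I", data, 0)   # Lgth, little-endian
    if bnd_len != 16:
        raise ValueError("Lgth must be 16")
    (flags,) = struct.unpack_from("<I", data, 20)    # Flags, little-endian
    out = {"bnd": data[4:20],
           "flags": sorted(name for bit, name in GSS_FLAGS.items() if flags & bit),
           "deleg": None}
    if flags & 1:  # DlgOpt/Dlgth/Deleg are present only with GSS_C_DELEG_FLAG
        if len(data) < 28:
            raise ValueError("delegation flag set but DlgOpt/Dlgth missing")
        dlg_opt, dlg_len = struct.unpack_from("<HH", data, 24)
        if dlg_opt != 1 or len(data) < 28 + dlg_len:
            raise ValueError("malformed delegation fields")
        out["deleg"] = data[28:28 + dlg_len]
    return out

def acceptor_decision(cksumtype, data, non_gss_policy):
    """Classify an Authenticator checksum. non_gss_policy is hypothetical:
    "ignore" (Windows, per the reply above) or "verify-krb5" (Samba, per the
    question above). No cryptographic verification is performed here."""
    if cksumtype is None:
        return ("absent", None)   # handling of this case is not stated in the thread
    if cksumtype == GSS_CKSUMTYPE:
        return ("gss", parse_gss_checksum(data))
    if non_gss_policy == "ignore":
        return ("ignored", None)
    if non_gss_policy == "verify-krb5":
        return ("verify-krb5", cksumtype)  # caller would run the krb5 routine for this type
    raise ValueError("unknown policy")

# Constructed sample: Lgth=16, zeroed Bnd, Flags = MUTUAL | INTEG
SAMPLE_GSS = struct.pack("<I", 16) + bytes(16) + struct.pack("<I", 2 | 32)

if __name__ == "__main__":
    print(acceptor_decision(GSS_CKSUMTYPE, SAMPLE_GSS, "ignore"))
    print(acceptor_decision(16, bytes(12), "ignore"))       # constructed non-0x8003 type
    print(acceptor_decision(16, bytes(12), "verify-krb5"))
```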